Alan Guo Xiang Tan 3c49c4ee35 SECURITY: Monkey-patch web-push gem to use safer HTTP client
`FinalDestination::HTTP` is our patch of `Net::HTTP`, which defends us
against SSRF and DNS rebinding attacks.
2023-03-16 16:25:48 -06:00


# frozen_string_literal: true
# The gem's top-level constant has been spelled both ways; resolve whichever
# one is loaded so the spec runs against either spelling.
klass = defined?(WebPush) ? WebPush : Webpush

RSpec.describe klass do
  # These examples stub the hostname lookup themselves, so IP lookups must be
  # permitted and WebMock must not intercept the FinalDestination layer that
  # performs the endpoint check.
  before do
    FinalDestination::SSRFDetector.allow_ip_lookups_in_test!
    WebMock.enable!(except: [:final_destination])
  end

  # Restore the global test defaults so later specs are unaffected.
  after do
    WebMock.enable!
    FinalDestination::SSRFDetector.disallow_ip_lookups_in_test!
  end

  # Payload encryption and header construction are not under test; stub them
  # on every request so only the endpoint resolution path is exercised.
  before do
    klass::Request.any_instance.expects(:encrypt_payload)
    klass::Request.any_instance.expects(:headers)
  end

  # Sample arguments for payload_send; only `endpoint` is relevant to these
  # examples, the rest are placeholders consumed by the stubbed methods.
  let(:push_args) do
    {
      endpoint: "http://example.com",
      message: "test",
      p256dh: "somep256dh",
      auth: "someauth",
      vapid: {
        subject: "someurl",
        public_key: "somepublickey",
        private_key: "someprivatekey",
      },
    }
  end

  it "should filter endpoint hostname through our SSRF detector" do
    # 0.0.0.0 is not an allowed destination, so the detector must refuse it
    # before any connection is attempted.
    stub_ip_lookup("example.com", %w[0.0.0.0])

    expect { klass.payload_send(**push_args) }.to raise_error(
      FinalDestination::SSRFDetector::DisallowedIpError,
    )
  end

  it "should send the right request if endpoint hostname resolves to a public ip address" do
    public_ip = "52.125.123.12"
    stub_ip_lookup("example.com", %w[52.125.123.12])

    # A sentinel error raised from the socket stub proves the connection was
    # attempted against the resolved public address, without opening a socket.
    connection_attempted = Class.new(StandardError)
    TCPSocket
      .stubs(:open)
      .with { |addr| addr == public_ip }
      .once
      .raises(connection_attempted)

    expect { klass.payload_send(**push_args) }.to raise_error(connection_attempted)
  end
end